Skip to content
JsWorkflows JsWorkflows Docs

Secrets & Environment Variables

Secrets are key-value pairs you store per workflow. They are encrypted at rest and exposed to that workflow’s code through the global env object.

Secrets are scoped to the workflow they are defined in. A secret added to one workflow is not accessible from any other workflow.

Storing a secret

Section titled “Storing a secret”
  1. Open a workflow in the code editor.
  2. Click More actions (top-right menu).
  3. Select Manage variables.
  4. Enter a name (e.g. SLACK_BOT_TOKEN) and its value.
  5. Save. It is then available in that workflow’s code as env.YOUR_KEY.

Accessing secrets in code

Section titled “Accessing secrets in code”

Read any secret by name via the global env object:

export class Workflow {
  async start(data, headers, api) {
    const slackToken = env.SLACK_BOT_TOKEN;


    await fetch('https://slack.com/api/chat.postMessage', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${slackToken}`,
      },
      body: JSON.stringify({ channel: '#orders', text: 'New order received' }),
    });
  }
}

You do not import env. It is already available globally in workflow code.

Platform-injected variables

Section titled “Platform-injected variables”

Two variables are always present on env in every workflow, regardless of what you have stored:

KeyValue
env.SHOPIFY_STOREYour store’s myshopify.com domain, e.g. "mystore.myshopify.com"
env.SHOPIFY_API_VERSIONThe latest Shopify API version configured for the app

When not to use workflow secrets

Section titled “When not to use workflow secrets”
  • Do not store Shopify Admin API access tokens here. When you call your store’s Admin API with fetch(), authentication is injected automatically.
  • Do not store rotating OAuth access tokens here. For connected OAuth services, use api.getOAuthToken(handle) instead.
  • Do not store normal non-secret configuration here unless it truly needs to be private. Use template config or regular constants for non-sensitive values.

Security

Section titled “Security”
  • Secrets are encrypted at rest.
  • Secrets are scoped to the individual workflow. No other workflow can read them.
  • Secret values are not intended to be shown in the editor UI, but your code can still expose them if you log, return, or send them to another system.
  • Deleting a secret prevents later workflow invocations from reading it.